Documentation
Rate This Document
Findability
Accuracy
Completeness
Readability
SubmitClose

Managing the Server Certificate

The server certificate is used for secure communication between the client browser and a web server. It implements encrypted data transmission between the client and web server. For security purposes, replace the original certificate with your customized certificate and promptly update the certificate.

Prerequisites

You have logged in to the Kunpeng DevKit.

Only the administrator devadmin can generate a certificate signing request (CSR) file, import the certificate, download root certificates, restart the service, and change the working key. Common users can only view certificate information.

Querying the Current Server Certificate

  1. Click in the upper right corner of the page. Choose General Settings > Certificate Management > Server Certificate.
  2. Query the information of the certificate. See Figure 1. Table 1 describes the parameters.
    Figure 1 Server certificate information
    Table 1 Parameter description

    Parameter

    Description

    Certificate

    Name of the certificate.

    Validity Period

    Certificate validity period.

    Status

    Current status of the certificate. The certificate status can be any of the following:

    • Valid: The certificate is valid.
    • About to expire: The remaining validity period of the certificate is less than or equal to the certificate expiration alarm threshold.
    • Expired: The certificate has expired.
    NOTE:
    • The tool automatically checks and updates the certificate status every day.
    • By default, the web server certificate expiration alarm threshold is 90 days. The administrator can click in the upper right corner of the Kunpeng DevKit home page and choose System Settings and set the certificate expiration alarm threshold. The certificate expiration alarm threshold ranges from 7 to 180 days.

    Operation

    Operations that can be performed. You can perform the following operations:

    • Download a root certificate.
      NOTE:

      If a security alert is displayed when you use a browser to log in to the Kunpeng DevKit, you can import the root certificate for the tool to mask the security alert.

    • Generate a CSR file.
      NOTE:

      CSR is short for certificate signing request. When a certificate applicant applies for a digital certificate, the cryptographic service provider (CSP) generates a private key and a CSR. After the certificate applicant submits the CSR file to the CA, the CA uses the private key of the root certificate to generate a public key file, that is, a certificate.

    • Import the certificate.
    • Restart a service.
    • Updating the working key

Customizing and Importing a Server Certificate

  1. On the Server Certificates tab page, click Generate CSR File. The Generate CSR File page is displayed, as shown in Figure 2. Table 2 describes the parameters.
    Figure 2 Generating a CSR file
    Table 2 Parameter description

    Parameter

    Description

    Country

    Country of the user.

    This parameter is mandatory. The value must be a two-letter country code.

    Province

    Province of the user.

    The value can contain a maximum of 128 characters, allowing letters, digits, hyphens (-), underscores (_), periods (.), and spaces.

    City

    City of the user.

    The value can contain a maximum of 128 characters, allowing letters, digits, hyphens (-), underscores (_), periods (.), and spaces.

    Company

    Company of the user.

    The value can contain a maximum of 64 characters, allowing letters, digits, hyphens (-), underscores (_), periods (.), and spaces.

    Department

    Department of the user.

    The value can contain a maximum of 64 characters, allowing letters, digits, hyphens (-), underscores (_), periods (.), and spaces.

    Common Name

    Name of the user.

    The value can contain a maximum of 64 characters, allowing letters, digits, hyphens (-), underscores (_), periods (.), and spaces.
  2. Click OK to generate a CSR file.
  3. Send the generated CSR file to the SSL certificate authority to apply for an SSL certificate.

    After obtaining the formal SSL certificate, save it to the client.

    You can also obtain a formal certificate by using a self-signed digital certificate based on the root certificate.

  4. Click Import Certificate.

    The Import Certificate dialog box is displayed.

  5. Click , select the certificate to be imported, and click Import.
    • The certificate file to be imported must be in *.crt, *.cer, or *.pem format and cannot exceed 1 MB.
    • The CSR file generated in 1 correlates with the server certificate applied from the CA. Do not generate a new CSR file before importing the server certificate. Otherwise, you have to use the new CSR file to apply for a new server certificate from the CA.
    • If the SSL certificate imported is not obtained from a CA, check whether the browser has the root certificate.
  6. After the import is complete, click Close.
  7. Click Restart Service for the certificate to take effect.

    If you manually restart the Nginx service on the server, the certificate does not take effect. You must restart the Nginx service on the WebUI.

Updating the Working Key

The working key is used to encrypt the password for starting the Nginx service. For security purposes, you are advised to update the working key periodically.

  1. Click in the upper right corner of the page. Choose General Settings > Certificate Management > Server Certificate.
  2. Click Update Working Key. In the dialog box that is displayed, click OK. Then click Restart Service for the change to take effect.
Parent topic: Certificate Management